[c-nsp] Block traffic between users in the same vlan

Matt Buford matt at overloaded.net
Thu Apr 14 00:59:38 EDT 2005


Just to eliminate confusion, private VLANs and PSPF will result in machines 
on the same subnet being unable to communicate.  It does not force traffic 
through the router - it blocks all traffic except that to the router, which 
means ARPs between hosts go unanswered.

If you would like to have layer 3 communication between hosts on the same 
subnet work across private VLANs (allowing you to use layer 3 filtering, 
PBR, and whatever else you want), see the "local proxy arp" feature that can 
be enabled with private VLANs.  This works by enabling proxy ARP for hosts 
within the same subnet.  So, for example, when 10.0.0.10/24 ARPs for 
10.0.0.11/24, private VLANs mean only the router sees this.  Local proxy ARP 
means the router responds with its own MAC address.  A traceroute from 
10.0.0.10 to 10.0.0.11 has 2 hops, with the router between the two hosts on 
the same subnet.

In my case, I use this because it allows scaling of large layer 2 networks 
with decent isolation between hosts.  It isn't quite as good as a VLAN per 
customer, but it gives you most of the benefits without the hassle.

This is supported on 6500 with MSFC, however it seems they don't quite have 
all the bugs worked out yet.  I currently have a case open about ARPs 
becoming broken when the ARP timeout hits.  I've temporarily worked around 
the problem by using an infinite ARP timeout, as this bug does not seem to 
be fixed in current releases.
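The setup Matt describes (isolated private VLAN, SVI on the MSFC with local proxy ARP, and a layer 3 filter on the routed host-to-host path), written out as an added configuration example. This is not Matt's configuration; the VLAN numbers, interface names, addresses, ACL name and the permitted service are assumptions made for the illustration.

```cisco
! Constructed example, not from the thread. Assumes: primary VLAN 100,
! isolated secondary VLAN 101, subnet 10.0.0.0/24 with the MSFC SVI at
! 10.0.0.1, hosts on GigabitEthernet1/1 and GigabitEthernet1/2.
vtp mode transparent
!
vlan 101
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Hosts sit in the isolated VLAN: at layer 2 they can reach promiscuous
! ports (here only the SVI), never each other, so host-to-host ARP is
! never seen by the other host.
interface GigabitEthernet1/1
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet1/2
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Layer 3 policy for traffic that now has to cross the MSFC. Assumed policy:
! hosts may always reach the gateway, may reach each other only on TCP/22,
! and everything else between hosts is dropped and logged.
ip access-list extended PVLAN-HOSTS
 permit ip 10.0.0.0 0.0.0.255 host 10.0.0.1
 permit tcp 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 22
 deny   ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255 log
 permit ip any any
!
interface Vlan100
 ip address 10.0.0.1 255.255.255.0
 private-vlan mapping 101
 ! Local proxy ARP: when 10.0.0.10 ARPs for 10.0.0.11, the MSFC answers
 ! with its own MAC, so the packet is routed through the SVI and the ACL
 ! above applies to it (traceroute then shows the SVI as an extra hop).
 ip local-proxy-arp
 ip access-group PVLAN-HOSTS in
 ! Workaround Matt mentions for his open ARP case: entries never expire.
 ! Zero is IOS's "never time out" value; remove once the fix is in.
 arp timeout 0
```

Because every host-to-host packet is now routed, `show ip arp` on the MSFC should list each host, and the ACL counters (`show ip access-lists PVLAN-HOSTS`) are the place to confirm that intra-subnet traffic is actually being filtered rather than switched around the SVI.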

----- Original Message ----- 
From: "Church, Chuck" <cchurch at netcogov.com>
To: "Ruben Montes" <Ruben.Montes at eu.didata.com>; "Erdem Sener" 
<erdem.sener at borusantelekom.com>; <cisco-nsp at puck.nether.net>
Sent: Wednesday, April 13, 2005 11:52 AM
Subject: RE: [c-nsp] Block traffic between users in the same vlan


In CatOS, protected switchports are referred to as Private VLANs.  See:
http://www.cisco.com/en/US/tech/tk389/tk689/technologies_configuration_example09186a008017acad.shtml


Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net 
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ruben Montes
Sent: Wednesday, April 13, 2005 11:47 AM
To: Erdem Sener; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Block traffic between users in the same vlan

Hello,

Yes, I know the command switchport protected, but cat6500/4500 don't support 
it. I think VACLs (VLAN ACLs) are the solution, but I have never configured 
them and I don't know their behavior.
Any help would be appreciated.

Best regards,

Ruben

-----Original Message----- 
From: Erdem Sener [mailto:erdem.sener at borusantelekom.com]
Sent: Wed 13/04/2005 17:39
To: Ruben Montes; cisco-nsp at puck.nether.net
CC:
Subject: RE: [c-nsp] Block traffic between users in the same vlan

Hello,


You could do "switchport protected" on each vlan interface, which will
force the traffic between ports to go through a layer 3 device, the default
gateway in your case.

Erdem

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ruben Montes
> Sent: Wednesday, April 13, 2005 6:07 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Block traffic between users in the same vlan
>
> Hello,
>
> I want to block traffic between users in the same vlan: the
> only communication allowed will be with the default gateway
> of this vlan.
>
> source           dest                       action
> 192.168.1.0/24   192.168.1.1/32 (gateway)   permit
> 192.168.1.0/24   192.168.1.0/24             deny
> 192.168.1.0/24   not(192.168.1.0/24)        permit
>
> Can this be accomplished with VACLs? This is a wifi
> environment and we want to block all access between wifi
> clients. I know there's a functionality called PSPF, but this
> only applies to clients associated in the same AP.
> Any working configuration would be appreciated.
>
> Regards,
>
> Ruben
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>




_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
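The three-row policy from Ruben's original question, written as a VACL on the wireless VLAN, followed by the protected-port form Erdem suggests for platforms that support it. This is an added example and is not a configuration posted by anyone in the thread; the VLAN number, ACL and access-map names and the interface range are assumptions.

```cisco
! Constructed example. Assumes wireless clients are in VLAN 10,
! subnet 192.168.1.0/24, default gateway 192.168.1.1.
!
! In a VACL the ACL only selects traffic; "permit" means "this entry
! matches", and the access-map action decides forward or drop.
!
! Row 1: client <-> gateway. The reply direction is included on purpose:
! the VACL is evaluated on every frame in the VLAN, and a frame from
! 192.168.1.1 back to a client is itself 192.168.1.0/24 -> 192.168.1.0/24,
! so without the second line it would hit the drop entry below.
ip access-list extended WIFI-TO-GATEWAY
 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.1
 permit ip host 192.168.1.1 192.168.1.0 0.0.0.255
!
! Row 2: client <-> client inside the subnet
ip access-list extended WIFI-INTRA-SUBNET
 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Row 3: everything else (traffic leaving the subnet via the gateway)
ip access-list extended WIFI-OTHER
 permit ip any any
!
! Sequence numbers give first-match order: gateway traffic is forwarded
! before the intra-subnet drop can see it.
vlan access-map WIFI-ISOLATE 10
 match ip address WIFI-TO-GATEWAY
 action forward
vlan access-map WIFI-ISOLATE 20
 match ip address WIFI-INTRA-SUBNET
 action drop
vlan access-map WIFI-ISOLATE 30
 match ip address WIFI-OTHER
 action forward
!
vlan filter WIFI-ISOLATE vlan-list 10
!
! Alternative Erdem mentions, on platforms that have it: protected ports.
! It is an access-port setting, not an SVI setting; protected ports never
! forward to each other, so client-to-client frames (ARP included) are
! dropped in hardware and only the uplink/gateway port is reachable.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport protected
```

Two things to check after applying the VACL: `show vlan access-map WIFI-ISOLATE` and `show vlan filter` confirm the map and its binding, and a ping between two clients should fail while both still reach 192.168.1.1. Note that the access-map above matches IP only; non-IP frames such as ARP between clients are still flooded in the VLAN, so clients can learn each other's MAC addresses even though their IP packets are dropped. That is a difference from private VLANs and protected ports, which isolate at layer 2.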
